1 Legal and enforcement framework
1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?
Developers building governance frameworks for blockchain-based applications should generally consider the liability of those in charge of network governance. By way of example, where a decentralised application meant to assist cross-border payments results in terrorist financing, the federal government may want to know:
- the persons with change control over the core features of the application; and
- the persons with change control over governance design.
Governance design thus becomes relevant to developers – especially where the application implicates federal or state law.
Generally speaking, a given application may implicate a range of regulatory regimes, including money transmission, securities, commodities, tax, privacy, consumer protection, anti-fraud, contracts, IP, money laundering, and terrorist financing laws. The issues are often nuanced and require input from specialists who understand both the technology and the discrete area of law.
1.2 How do the foregoing considerations differ for public and private blockchains?
While the foregoing considerations apply equally to public and private blockchains, in private, permissioned systems, the developers behind governance design will work at the company actually governing the application, and likely will be motivated to understand potential liability they and their companies face.
With respect to public blockchains, it may prove more difficult to identify developers and governing entities. While this does not exempt public blockchains from the legal regimes described above, in practice it may make enforcement of those laws more difficult. Developers of public blockchains may also distribute ‘governance tokens', a fact pattern which may also make enforcement difficult.
1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?
Users of a blockchain application should consider whether:
- the application enables a regulated service (eg, money transmission, regulated securities or commodities exchange) or product (eg, security, commodity derivative);
- the creators or operators of the application hold the necessary licences or registrations to enable the product or service;
- the creators or operators of the application are located in the United States or serve US residents;
- an identifiable person or entity is operating or maintaining the application; and
1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
Theoretically, because the breadth of potential blockchain applications is vast, nearly every federal and state regulator may have relevant authority. Most immediately, concerns regarding securities, commodities, tax, anti-terrorism and money transmitter laws are paramount. Those laws are overseen, respectively, by:
- the Securities Exchange Commission (SEC);
- the Commodities Futures Trading Commission (CFTC);
- the Internal Revenue Service;
- the Office of Foreign Asset Control; and
- the Financial Crimes Enforcement Network (FinCEN); and
- state regulators overseeing money transmission.
In addition, some blockchain applications may implicate the authority of agencies with consumer protection or general business protection mandates, such as the Consumer Financial Protection Bureau and the Federal Trade Commission. Federal and state banking regulators may also scrutinise blockchain applications as banks seek to offer blockchain-related services through third-party service providers, and the banking regulators may wish to understand the service provider or outsourcing risks.
1.5 What is the regulators' general approach to blockchain?
No uniform general approach exists among US regulators when it comes to blockchain technology. Each regulator has different mandates, concerns and powers. The SEC concerns itself with protecting investors; maintaining fair, orderly and efficient markets; and facilitating capital formation. As a result, the SEC has focused on, among other things, halting fraudulent and unregistered securities offerings involving blockchain applications. FinCEN concerns itself with preventing money laundering and terrorist financing, and has thus focused on enforcing rules designed to deter and detect criminal uses of virtual currency trading platforms. The CFTC's mission is to protect the integrity, resilience and vibrancy of the derivatives markets, and thus has focused on ensuring that platforms facilitating the trading of derivatives are registered and deterring market manipulation.
These concerns guide a regulator's approach more than the technology itself. However, in order to understand the unique issues presented by the technology, regulators often form a specialised unit within each agency that acts as a liaison with developers and flags major areas of concern for the agency as a whole.
1.6 Are any industry or trade associations influential in the blockchain space?
The most recognisable industry and trade associations in the blockchain space are:
- the Digital Chamber of Commerce;
- the Blockchain Association;
- the Wall Street Blockchain Alliance;
- the Ethereum Enterprise Alliance;
- the Virtual Commodity Association; and
- Coin Center.
2 Blockchain market
2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?
No particular blockchain application is dominant in the United States. However, the most prominent blockchain-based businesses include cryptocurrency exchanges, custodians and mining pools. These businesses often focus on the blockchain protocols with the highest market capitalisation, Bitcoin or Ethereum.
2.2 What potential new applications/protocols are most actively being explored?
Much developer attention is focused on the following, which covers business models, applications and protocols:
- secondary markets for security tokens;
- cryptocurrency-backed exchange traded funds;
- stablecoins and central bank digital currencies;
- borrowing, lending and staking of digital assets; and
- decentralised protocols for trading digital assets and providing liquidity.
2.3 Which industries within your jurisdiction are making material investments within the blockchain space?
Industries making material investments within the blockchain space include:
- venture capital firms;
- investment funds that focus either on investments in blockchain-based assets or on companies focused on blockchain development;
- traditional financial institutions (eg, brokers or dealers developing a blockchain-related product or service); and
- venture arms of successful blockchain companies.
2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?
A number of state-specific blockchain-friendly bills and laws have been enacted within the last three years that have the effect of incentivising the use of blockchain. The Delaware General Corporation Law was amended in 2017 to authorise the use of distributed ledger technology in the administration of Delaware corporate records, including stock ledgers. Wyoming enacted 13 cryptocurrency-friendly laws in 2019, with eight more bills proposed for 2020. One of these laws allow institutions to apply for a charter to operate as a special purpose depository institution, which is recognised as a bank under Wyoming law. The Hawaii Division of Financial Institutions partnered with a third party to launch a sandbox for digital currency companies in March 2020.
3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?
Often, the relevant law does not treat ‘virtual currency' as a defined term. Generally, federal and state regulators treat virtual currency as:
- ‘property' (for tax purposes);
- ‘monetary value' (for money transmission purposes);
- ‘securities' (for securities law purposes); or
- ‘commodities' (for commodities law purposes).
The term ‘virtual currency' is defined in some, but not all, state money transmitter laws. It is not defined in any federal law.
3.2 What anti-money laundering provisions apply to cryptocurrencies?
The Bank Secrecy Act contains anti-money laundering (AML) provisions that apply generally to value transfer, however denominated. The broad applicability of AML provisions means that those laws generally cover the transfer of cryptocurrencies. Relatedly, the Office of Foreign Asset Control oversees laws that prohibit financial transactions with sanctioned entities, and does not have any special exemption for financial transactions that make use of cryptocurrencies.
3.3 What consumer protection provisions apply to cryptocurrencies?
At the federal level, consumer financial products and services – including payments, lending and card services that incorporate blockchain technology – are subject to a range of consumer protection regulations requiring disclosure, reporting or recordkeeping, depending on the specific product or service. The Consumer Financial Protection Bureau oversees the consumer-facing rules. The states also have consumer protection provisions built into their money transmitter and finance lender licence laws. These often take the form of surety bond or net capital requirements for companies that take custody of value – whether cryptocurrency or not – belonging to consumers.
3.4 How are cryptocurrencies treated from a tax perspective?
The Internal Revenue Service (IRS) has indicated that cryptocurrency should be treated as property for federal tax purposes. In addition, the IRS issued a revenue ruling in 2019 regarding the tax consequences for a taxpayer who receives a new cryptocurrency as the result of a ‘hard fork'. That ruling can be found at www.irs.gov/pub/irs-drop/rr-19-24.pdf.
3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?
Depending on its features, a cryptocurrency may be treated as ‘monetary value', a ‘commodity' or a ‘security', each implicating a distinct regulator regime.
A purchaser of or trader in cryptocurrency should avoid engaging in manipulative trading behaviour, money laundering, terrorist financing or funding of illicit activity. If the trader is trading in commodity derivatives (futures, options, swaps), it may be required to register as a futures commission merchant, swap dealer or other regulated entity with the Commodities Futures Trading Commission (CFTC). If the trader is trading in securities, then the trader may be a broker or a dealer subject to registration with the Securities and Exchange Commission (SEC). All traders will have to concern themselves with the tax consequences of each trade.
The regulatory obligations of trading platforms that facilitate the exchange of cryptocurrencies similarly will depend on the types of assets traded. Trading platforms hosting an order book that allows for peer to peer trading of non-security cryptocurrencies may be engaged in money transmission and be subject to federal and state registration and licensing requirements. Trading platforms that facilitate the exchange of cryptocurrency derivatives likely will have to register with the CFTC. A trading platform that brings together multiple buyers and sellers of cryptocurrencies that qualify as securities while also using established, non-discretionary methods under which the orders interact with each other, likely will need to register as a securities exchange.
3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?
The term ‘initial coin offering' and ‘security token offering' are not defined by any law in the United States. The terms of any such offerings may be securities offerings, however, depending on the promises and representations attached to such offerings. Determining whether an initial coin offering or security token offering is an offer or sale of securities requires reference to the definition of ‘security' under federal law, as well as judge-made case law interpreting the definition of ‘security' or ‘investment contract' (a type of security). The seminal case here is SEC v Howey, 328 U.S. 293 (1946). Public securities offerings – whether involving cryptocurrencies or not – require registration with the SEC unless an exemption from registration exists.
4 Smart contracts
4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?
Any document, including a smart contract, can satisfy the legal requirements of a legal contract, assuming that it carries the typical attributes of a contract: there must be offer, acceptance, consideration, a meeting of the minds, competency and capacity.
The determination of the presence of each element will require detailed review of the smart contract and the terms of interacting with it. The code itself may not contain an offer, acceptance or consideration. Often, where a smart contract simply serves an automated recordkeeping function or hosts a sub-ledger of transactions, the elements of a contract listed above do not exist. The elements of a contract may exist, however, if one looks to the broader scheme – offer, acceptance or consideration may exist outside of the four corners of the documented code for the smart contract. Whether the contract is enforceable may depend on the state versions of the Uniform Electronic Transaction Act and the Federal E-SIGN Act, the intent of the signing parties, and whether the cryptographic key used to sign smart contracts may be considered a valid signature.
4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?
Certain states – such as Arizona, Nevada, Ohio and Tennessee – have adopted new laws that define and clarify the enforceability of smart contracts.
4.3 What parts of traditional contract might smart contracts be able to replace?
Arguably, if a smart contract contains the terms that would exist in a typical contract, then it does not ‘replace' those terms; it simply moves them from the traditional contract into a smart contract. Outside of contract terms, parties may wish to automate certain monitoring functions or payment functions required as a business function of the contract – smart contracts may make such automation easier.
4.4 What parts of traditional contracts might smart contracts be unable to replace?
A smart contract may be able to incorporate by reference all terms of a traditional contract. However, that does not mean the smart contract ‘replaces' the part of a traditional contract; it simply moves the terms elsewhere. For any function that arises from the contract that is either too difficult to automate or too bespoke to monitor, smart contracts will have a difficult time offering an efficiency play. For instance, arbitration may be too difficult to automate and enforcement of a force majeure clause may be too bespoke to monitor. In addition, a smart contract is unlikely to offer automation benefits where contract terms are based on reason, industry standards or conscience (eg, reasonableness, best efforts or good faith negotiation provisions).
4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?
Where a smart contract makes possible an automated function that cannot be shut down by any party (ie, no ‘kill switch'), any court order requiring that the smart contract be made unavailable may be unenforceable. Such smart contracts may make asset seizures difficult as well, assuming that a smart contract locks funds and only releases them once a party with access to a private key orders their release.
4.6 What are some practical considerations that parties should consider when drafting a smart contract?
Parties should consider the benefit or disadvantage of coding in a kill switch or mechanism to stop the smart contract from running in certain circumstances. Parties should also consider what data visible on a public blockchain will be stored in the smart contract. Smart contracts that rely on external oracles for data may be vulnerable to unexpected changes to, or cybersecurity threats faced by, the oracle. Parties should consider the possibility of a compromised oracle and the ability to be able to agree on a replacement. Parties should also consider the possibility of bugs or errors in the smart contract, system slowdowns, halts or hard forks in the underlying blockchain that could frustrate its effectiveness.
4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?
Smart contracts running on private blockchains have more flexibility to amend the code, cease or restart operations. This may nullify the kill switch concern entirely, depending on the level of control possessed by the enterprise controlling the private blockchain.
5 Data and privacy
5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?
Due to the global, transparent, open and permanent nature of blockchain, a number of challenges arise when it comes to complying with global and state specific data protection regulations such as the EU General Data Protection Regulation and the California Consumer Privacy Act. Furthermore, the lack of a federal privacy law in the United States means that the considerations need to be assessed on a state-by-state basis.
De-identified or anonymous data is generally exempt from data protection regulations. Where personal data or personally identifiable information (PII) is involved, most developers have published only hashed or encrypted versions of PII, as opposed to the raw data. However, it is still unclear whether certain hashed or encrypted data would constitute de-identified or anonymous data under the different data protection regulations.
Where personal data is published on a public blockchain, it becomes almost impossible to subsequently remove or amend the data. As a result, businesses may be unable to comply with any requests for erasure, and any accidental data breach or private key leakage may result in personal data become permanently public with no way of rectification. Because all full nodes will have downloaded complete copies of a blockchain's ledger, all data that has been uploaded on a blockchain will inevitably be replicated across multiple jurisdictions where the full nodes exist. The inability to prevent or control cross border transfers of personal data may cause businesses using public blockchains to store personal data to violate applicable data protection regulations.
5.2 What potential advantages can blockchain offer in the data protection/privacy context?
Cryptographic proofs such as zero knowledge proofs may be integrated into blockchains to provide verifiable proof of certain facts or claims without revealing any data other than the proof itself. As a result, valuable information (eg, "Alice's age is greater than 21") can be verified while maintaining one's privacy and keeping his or her full birth date private. Zero knowledge proofs also allow transactions to remain fully encrypted while still being verified under a network's consensus rules.
Blockchains can be designed to control access points and track access history in a verifiable manner. It can be therefore used as a way to ensure that one's data can be accessed only by authorised persons and to verify that the data has in fact only been accessed by authorised persons as defined by their private keys.
6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?
Blockchains are vulnerable to attacks where a single miner or mining pool controls more than half of the total hashing power of a proof-of-work network, also known as a 51% attack. Once the attack is successful, an attacker can cause significant network disruptions by excluding new transactions or modifying the order of transactions. A similar attack can occur on a blockchain running on a proof-of-stake network where the attacker has obtained a majority of the relevant voting stake.
Blockchains have historically been described as ‘immutable' due to the high costs and amount of coordination required to amend the ledger. Immutability presents significant challenges where a bug in a smart contract exists and can be continuously exploited, or where an illicit transaction occurs that authorities wish to reverse, but cannot. Even if stolen funds are traceable to a certain public address using blockchain analytics tools, transactions are generally not reversible and there is often no on-chain mechanism to force an attacker to return funds.
Quantum computing may render existing encryption standards obsolete and threaten the security of non-quantum resistant blockchains. Quantum computers can be rented today and used to experiment with attack algorithms and attempts to break public key cryptography.
6.2 What potential advantages can blockchain offer in the cybersecurity context?
Many blockchains are hosted and governed by miners and node operators distributed across the globe. Often, no single person or entity controls a particular blockchain. As a result, public and permissionless blockchains are generally operationally resilient, due to the lack of a single point of failure, both geographically and politically. While it is not impossible to attack a blockchain network, the decentralised and distributed nature of many blockchain applications makes such attacks difficult or expensive.
Blockchains have the advantage of being tamper-proof due to the traceability and auditability of the blockchain's ledger. This means data stored on a blockchain cannot be tampered with or altered without leaving traces or evidence that changes have occurred. These features may allow blockchain analytics companies to follow a trail of funds, determine sources of funds or identify abnormalities in transaction activity long after the events have occurred.
6.3 What tools and measures could be implemented to mitigate cybersecurity risk?
Because the consequences of a bug in the smart contract are so significant, permanent and irreversible, developers may want to consider launching code in a test environment before transitioning onto a public, permissionless blockchain. Developers should commission regular independent audits on their code and offer bug bounties, especially where large amounts of cryptocurrencies are at risk.
When sensitive data or personal data is involved, developers should consider keeping such data off-chain. Even if the sensitive or personal data is hashed or encrypted before being appended onto a blockchain, if the private key is leaked or exposed, there is often no mechanism to remove hashed or encrypted data. Developers should be aware of the risk that underlying data may one day be permanently exposed to the public due to advancements in quantum computing. Developers should therefore consider using quantum resistant algorithms.
Some developers may choose to build a kill switch or administrator key that provides the ability to stop a smart contract's operations or halt network activity in the event of an emergency or cyberattack. This may lower one cybersecurity risk but may also create a new attack vector (ie, the kill switch or key holders).
Custodians or persons in control of large values of cryptocurrencies should consider using multi-signature wallets as an additional guard against the unauthorised transfer of their cryptocurrencies.
7 Intellectual property
7.1 What specific challenges or concerns does blockchain present from an IP perspective?
Many of the most widely used public blockchains (eg, Bitcoin, Ethereum, Hyperledger) have been developed as open source software. This means that the author has released the code under a permissive licence that allows anyone to use and modify it. Where an IP infringement claim is asserted against a developer or entity that has developed on top of open source software, both parties must consider whether the claim is barred by open source restrictions. The type of open source licence of the underlying software may also affect a developer's ability to defend itself or to assert its own IP rights.
7.2 What type of IP protection can blockchain developers obtain?
The four main types of intellectual property that blockchain developers can use to protect their work in the United States are patents (eg, user interfaces), copyrights (eg, smart contract code), trademarks (eg, name and brand) and trade secrets (eg, quantum resistant algorithms).
Registration is not required to secure copyright protection in the United States. Copyright is secured automatically when the work is created; however, registration with the Copyright Office is required in order to bring an infringement suit for works of US origin. Trademark protection may be obtained by federal registration with the US Patent and Trademark Office (USPTO) or arise at common law from actual use of a mark. Patent protection may be obtained by filing a patent application with the USPTO. While no registration necessary to protect trade secrets, every state in the United States has enacted a version of the Uniform Trade Secrets Act, which prohibits the theft or disclosure of trade secrets.
7.3 What are the best open-source platforms that could be used to protect developers' innovations?
Unfortunately, we are not aware of any open-source platform or blockchain that can be used to protect a developer's innovations. The ability of a developer to protect its work is dependent on factors outside of a blockchain, such as attempts by the developer to register the work with the applicable offices, or attempts by the developer to keep certain aspects of the work confidential through the use of non-disclosure agreements.
7.4 What potential advantages can blockchain offer in the IP context?
Blockchains can be used to provide verifiable proof and timestamps that a particular invention was conceived at a certain point in time as prior art to prevent others from obtaining a patent, or to provide evidence of ‘dates of first use' in a trademark application.
If done in conjunction with the USPTO and relevant authorities, a blockchain could potentially be used to create an IP registry to record IP rights instead of a traditional database. An IP registry could also be used to collect information on the use of a trademark, allowing the USPTO to be notified in real time of timestamped evidence of actual use.
8 Trends and predictions
8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?
Each year brings new guidance regarding blockchain technology across a range of laws within the United States. Predicting the evolution of the space requires first predicting how the technology will develop over time. As cryptocurrencies are issued by central banks, regulators may adapt the anti-money laundering provisions to account for new risks posed by transfer of such value. As decentralised exchanges proliferate or allow for unregistered trading of unregistered securities, regulators may develop innovative enforcement theories to ensure such exchanges do not promote violations of law. As consumers forget about funds left on exchanges, states will have to discern how to adapt their escheatment requirements to account for an asset that they are not used to holding. As the markets evolve and mature, the Securities and Exchange Commission may approve an exchange traded fund; or the Commodities Futures Trading Commission may approve additional futures, options or swaps exchanges. As cryptocurrency exchanges seek to offer nationwide, internet-only offerings, state regulators may be pushed towards uniformity in the application of their laws or in their examination process.
8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?
We often publicly advocate for common-sense changes to regulation that can have a net positive effect on financial technology companies without undermining the spirit of the law. We host those positions here: https://ketsal.com/blog/.
8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?
Many developers have attempted to solve for consumer adoption of blockchain technology generally. We note that where blockchain technology makes available a new line of business responsive to consumer demand, it has helped adoption. For instance, as alternatives to Bitcoin developed, ‘altcoin' exchanges arose as passion projects to allow users to turn their Bitcoin into other cryptocurrencies. The model to charge a transaction fee for each trade proved to be a lucrative move for those businesses; and in turn, those revenues have paid for marketing of the exchange's services, which has led to greater consumer adoption. Any business model that generates revenue and turns some of that revenue into marketing will increase adoption of blockchain technology relevant to the business line. The largest impediment, in our view, is the difficulty of developing a novel business line that attracts consumers and to simultaneously manage the compliance risk, which can often carry an unknown, unpredictable cost.
9 Tips and traps
9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?
The regulatory landscape is continuously changing, expanding and being clarified on an ongoing basis. Not only must developers, businesses and users consider US state and federal laws, the global nature of the technology means that there are also international standards, organisations and foreign laws to consider. Our top three tips when considering blockchains are as follows:
- Stay on top of regulatory changes – often, blockchain projects venture into highly regulated areas involving payments, lending, card or money transmission issues.
- Blockchain technology is new, but iterative – be cautious when building on new blockchains, hire a code auditor and learn from the mistakes of platforms that attempted to build a project, but failed in the first major wave of decentralised application development in 2018.
- Know when not to use a blockchain – it is not a panacea, but it can certainly lead to efficiencies if used in the proper context.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.